How to remove Antivirus 2010 (Uninstall Instructions)

Antivirus 2010 is the name of a variety of different rogues
from different malware families. This guide will focus on the latest rogue that
uses this name and that is a clone of Antivirus
2010 Security Centre. Antivirus 2010 is promoted through the use of malware
that will install it on to your computer without your permission or knowledge.
Once running it will scan your computer and state that there are numerous infections
present, but will state that it will not clean any of them until you first purchase
the program. The problem is that most of the infections it detects are actually
legitimate Windows programs that are not infected at all. Therefore, do not
try to manually delete any of the files it states are infections as it may cause
your computer to not operate correctly.

Antivirus 2010 Screen shotFor more screen shots of this infection click on the image above.There are a total of 3 images you can view.

As part of its defense mechanism, Antivirus 2010 will also terminate the majority
of programs that you attempt to run. When it terminates them it will also change
the security permissions on the executable so that you will not be able to run
the program again. You will know when Antivirus 2010 changes the permission
on a program because when you attempt to launch the program you will be greeted
with a Windows message that states:

Windows cannot access the specified device, path, or
file. You may not have the appropriate permissions to access the item.

If you are greeted with this message for one of your executables you can regain
access to the program by using the cacls.exe program that comes
installed with Windows. Simply go to a Command
Prompt and type the following command to give the Everyone group permission
to use the file again:

cacls <full path to the program> /G Everyone:F

As an example, if you attempt to launch Malwarebytes' and it gives the above
error, then you would type cacls "c:\program files\Malwarebytes'
Anti-Malware\mbam.exe" /G Everyone:F and press enter on your keyboard.
Once you enter that command and press enter, everyone on your computer will
then have access to the file again. If you are using Windows Vista or Windows
7 then you will have to use an elevated command prompt, which is explained
here.

As you can see, Antivirus 2010 uses false scan results to make you think your
infected so that you will purchase the program. It also takes your computer
hostage by disabling the use of your executables so that you can't properly
use your computer. Therefore, do not purchase this program, and if you already
have, please contact your credit card company and dispute the charges stating
it is an computer virus. To remove Antivirus 2010 and related malware, please
use the guide below.

These instructions are for advanced users. We will not be going into great
detail on how to perform these steps and it is expected that you will understand
what to do with the information provided below. If you do not feel comfortable
performing these steps, then please do not attempt them. Instead follow the
steps in this
topic in order to receive malware removal help from one of our helpers.

Please print out these instructions as we will be performing steps in an
environment that does not support Internet browsing.

As the main defense mechanism of
Antivirus2010
is a rookit, we must first reboot our computer into a the XP Recovery
Console or the Windows Vista/Windows 7 Recovery Environment in order to delete
certain files that will then allow us to remove this infection while booted
into Windows normally.

With this said, if you are using Windows XP, please reboot into the Windows
XP Recovery Console using the instructions found in this guide.

If you are using Windows 7 or Windows Vista, please use this guide to boot
into the Windows Recovery Environment. Please note that the following guide
was written for Vista, but applies to Windows 7 as well.

Once you are in the recovery environment you must rename the following files.
You can rename them as the same filename but ending with .bad.

c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
c:\WINDOWS\system32\drivers\vbma22b4.sys (Please note that the filename
may not be exactly the same, but should start with vbma)

The reason we state you should rename them instead of deleting them, is if
you delete the wrong file and Windows no longer operates correctly, you can
go back into the Windows recovery environment and restore the file to get
Windows working again.

Once these two files have been renamed, please type Exit
and reboot your computer so that it enters Windows normally.

Once you are in Windows, go into Add or Remove Programs
(Windows XP) or Uninstall a Program (Windows 7 and Vista)
in the Windows Control Panel. Once the Uninstall control panel is open, look
for Antivirus 2010 or Antivirus2010 and uninstall it.

Now download the following reg file for your corresponding version of Windows
and run it. When it asks if you would like to merge the data, please allow
it to do so.

For the next steps, if you attempt to run a program and it gives a permission
denied or similar error, then please use the CACLS program to restore permissions
as described in the description of the program above.

You can now now download Malwarebytes Anti-Malware, or MBAM, from the following
location and save it to your desktop:

Once downloaded, close all programs and Windows on your computer, including
this one.

Double-click on the icon on your desktop named mbam-setup.exe.
This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue
with the installation process. Do not make any changes to default settings
and when the program has finished installing, make sure you leave both the
Update Malwarebytes Anti-Malware and Launch
Malwarebytes Anti-Malware checked. Then click on the Finish
button.

MBAM will now automatically start and you will see a message stating that
you should update the program before performing a scan. As MBAM will automatically
update itself after the install, you can press the OK button
to close that box and you will now be at the main program as shown below.

On the Scanner tab, make sure the the Perform
full scan option is selected and then click on the Scan
button to start scanning your computer for
Antivirus 2010
related files.

MBAM will now start scanning your computer for malware. This process can
take quite a while, so we suggest you go and do something else and periodically
check on the status of the scan. When MBAM is scanning it will look like the
image below.

When the scan is finished a message box will appear as shown in the image
below.

You should click on the OK button to close the message box and continue with
the
Antivirus2010
removal process.

You will now be back at the main Scanner screen. At this point you should
click on the Show Results button.

A screen displaying all the malware that the program found will be shown
as seen in the image below. Please note that the infections found may be different
than what is shown in the image.

You should now click on the Remove Selected button to remove
all the listed malware. MBAM will now delete all of the files and registry
keys and add them to the programs quarantine. When removing the files, MBAM
may require a reboot in order to remove some of them. If it displays a message
stating that it needs to reboot, please allow it to do so. Once your computer
has rebooted, and you are logged in, please continue with the rest of the
steps.

When MBAM has finished removing the malware, it will open the scan log and
display it in Notepad. Review the log as desired, and then close the Notepad
window.

You can now exit the MBAM program.

As many rogues and other malware are installed through vulnerabilities found
in out-dated and insecure programs, it is strongly suggested that you use
Secunia PSI to scan for vulnerable programs on your computer. A tutorial on
how to use Secunia PSI to scan for vulnerable programs can be found here: